Network Control Policy
This policy configures the network control settings for the Cisco UCS domain, including the following:
- Whether the Cisco Discovery Protocol (CDP) is enabled or disabled
- How the virtual interface (VIF) behaves if no uplink port is available in end-host mode
- The action that Cisco UCS Central takes on the remote Ethernet interface, vEthernet interface, or vFibre Channel interface when the associated border port fails
- Whether the server can use different MAC addresses when sending packets to the fabric interconnect (MAC security)
- Whether adapter-registered MAC addresses are installed only on the native VLAN of each vNIC or on all VLANs associated with it
Action on Uplink Fail
By default, the Action on Uplink Fail property in the network control policy is configured with a value of link-down. For adapters such as the Cisco UCS M81KR Virtual Interface Card, this default behavior directs Cisco UCS Central to bring the vEthernet or vFibre Channel interface down if the associated border port fails. For Cisco UCS systems using a non-VM-FEX capable converged network adapter that supports both Ethernet and FCoE traffic, such as Cisco UCS CNA M72KR-Q and the Cisco UCS CNA M72KR-E, this default behavior directs Cisco UCS Central to bring the remote Ethernet interface down if the associated border port fails. In this scenario, any vFibre Channel interfaces that are bound to the remote Ethernet interface are brought down as well.
Note: If your implementation includes the non-VM-FEX capable converged network adapters mentioned in this section and the adapter is expected to handle both Ethernet and FCoE traffic, we recommend that you configure the Action on Uplink Fail property with a value of warning. Be aware that with this configuration an Ethernet teaming driver on the host might not detect a link failure when the border port goes down, because the vNIC stays up.
MAC Registration Mode
MAC addresses are installed only on the native VLAN by default, which maximizes the VLAN port count in most implementations.
Note: If a trunking driver is being run on the host and the interface is in promiscuous mode, we recommend that you set the MAC Registration Mode to All VLANs.
Configuring a Network Control Policy
MAC address-based port security is not supported for Emulex converged network adapters (N20-AE0102). When MAC address-based port security is enabled, the fabric interconnect restricts traffic to packets that carry the MAC address it first learns from the adapter: either the source MAC address of the FCoE Initialization Protocol (FIP) packet or the source MAC address of an Ethernet packet, whichever the adapter sends first. Because the address used for FCoE and the address used for Ethernet differ, this configuration can result in either FCoE or Ethernet packets being dropped.
Procedure
Step 1
Command: UCSC# connect policy-mgr
Purpose: Enters policy manager mode.
Step 2
Command: UCSC(policy-mgr)# scope org org-name
Purpose: Enters organization mode for the specified organization. To enter the root organization mode, enter / as the org-name.
Step 3
Command: UCSC(policy-mgr) /org # create nw-ctrl-policy policy-name
Purpose: Creates the specified network control policy and enters organization network control policy mode.
Step 4
Command: UCSC(policy-mgr) /org/nw-ctrl-policy # {disable | enable} cdp
Purpose: Disables or enables Cisco Discovery Protocol (CDP) on the vNICs that use this policy.
Step 5
Command: UCSC(policy-mgr) /org/nw-ctrl-policy # set uplink-fail-action {link-down | warning}
Purpose: Specifies the action to be taken when no uplink port is available in end-host mode. Use the link-down keyword to change the operational state of a vNIC to down when uplink connectivity is lost on the fabric interconnect, which allows fabric failover to take place for vNICs. Use the warning keyword to maintain server-to-server connectivity even when no uplink port is available; this disables fabric failover when uplink connectivity is lost on the fabric interconnect. The default uplink failure action is link-down.
Step 6
Command: UCSC(policy-mgr) /org/nw-ctrl-policy # set mac-registration-mode {all-host-vlans | only-native-vlan}
Purpose: Specifies whether MAC addresses registered by the adapter are added only to the native VLAN associated with the interface (only-native-vlan, the default) or to all VLANs associated with the interface (all-host-vlans).
Step 7
Command: UCSC(policy-mgr) /org/nw-ctrl-policy # create mac-security
Purpose: Enters organization network control policy MAC security mode.
Step 8
Command: UCSC(policy-mgr) /org/nw-ctrl-policy/mac-security # set forged-transmit {allow | deny}
Purpose: Allows or denies the forging of MAC addresses when sending traffic. MAC security is disabled when forged MAC addresses are allowed and enabled when forged MAC addresses are denied. By default, forged MAC addresses are allowed (MAC security is disabled).
Step 9
Command: UCSC(policy-mgr) /org/nw-ctrl-policy/mac-security # commit-buffer
Purpose: Commits the transaction to the system configuration.
Example
The following example:
- Creates a network control policy named ncp5
- Enables CDP
- Sets the uplink fail action to link-down
- Denies forged MAC addresses (enables MAC security)
- Commits the transaction
UCSC# connect policy-mgr
UCSC(policy-mgr)# scope org /
UCSC(policy-mgr) /org # create nw-ctrl-policy ncp5
UCSC(policy-mgr) /org/nw-ctrl-policy* # enable cdp
UCSC(policy-mgr) /org/nw-ctrl-policy* # set uplink-fail-action link-down
UCSC(policy-mgr) /org/nw-ctrl-policy* # create mac-security
UCSC(policy-mgr) /org/nw-ctrl-policy/mac-security* # set forged-transmit deny
UCSC(policy-mgr) /org/nw-ctrl-policy/mac-security* # commit-buffer
UCSC(policy-mgr) /org/nw-ctrl-policy/mac-security #
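The procedure above is typed interactively, which makes it easy to commit a policy that leaves MAC security off or CDP on. The following Python script is an added example, not Cisco code and not part of this documentation: it describes a network control policy as data, emits the same command sequence the procedure uses (without the prompts), and lints the settings against the caveats stated on this page before anything is committed. The two policies WEAK and HARDENED are constructed for illustration; the environment flags non_vmfex_cna_with_fcoe and promiscuous_trunking_host are assumptions the operator has to supply, since the CLI cannot tell the script what adapter or host driver is in use.

```python
"""Build and lint a Cisco UCS Central network control policy.

Added example, not part of the Cisco documentation. It emits the command
sequence from the procedure above for a policy described as data and flags
the settings a security reviewer would question before commit. The lint
rules restate the caveats given on the page; the environment flags are
assumptions the caller must supply.
"""
from dataclasses import dataclass
from typing import List

VALID_UPLINK_FAIL_ACTION = {"link-down", "warning"}
VALID_MAC_REGISTRATION = {"all-host-vlans", "only-native-vlan"}
VALID_FORGED_TRANSMIT = {"allow", "deny"}


@dataclass
class NetworkControlPolicy:
    name: str
    org: str = "/"                          # "/" is the root organization
    cdp: bool = False                       # enable only where tooling needs it
    uplink_fail_action: str = "link-down"   # UCS default
    mac_registration_mode: str = "only-native-vlan"  # UCS default
    forged_transmit: str = "deny"           # deny = MAC security enabled
    # Environment facts for the lint rules (assumed; supplied by the operator)
    non_vmfex_cna_with_fcoe: bool = False   # e.g. an M72KR-Q/E carrying Ethernet and FCoE
    promiscuous_trunking_host: bool = False

    def validate(self) -> None:
        """Reject keyword values the CLI would not accept."""
        if self.uplink_fail_action not in VALID_UPLINK_FAIL_ACTION:
            raise ValueError(f"bad uplink-fail-action: {self.uplink_fail_action}")
        if self.mac_registration_mode not in VALID_MAC_REGISTRATION:
            raise ValueError(f"bad mac-registration-mode: {self.mac_registration_mode}")
        if self.forged_transmit not in VALID_FORGED_TRANSMIT:
            raise ValueError(f"bad forged-transmit: {self.forged_transmit}")

    def to_cli(self) -> List[str]:
        """Return the commands in the order the procedure above types them."""
        self.validate()
        return [
            "connect policy-mgr",
            f"scope org {self.org}",
            f"create nw-ctrl-policy {self.name}",
            f"{'enable' if self.cdp else 'disable'} cdp",
            f"set uplink-fail-action {self.uplink_fail_action}",
            f"set mac-registration-mode {self.mac_registration_mode}",
            "create mac-security",
            f"set forged-transmit {self.forged_transmit}",
            "commit-buffer",
        ]

    def lint(self) -> List[str]:
        """Return review findings; an empty list means nothing to question."""
        findings = []
        if self.forged_transmit == "allow":
            findings.append(
                "forged-transmit allow: MAC security is disabled, so a host can "
                "send frames with source MACs it was not assigned")
        if self.cdp:
            findings.append(
                "cdp enabled: device and topology details are exchanged over the "
                "vNIC; keep it disabled unless host-side tooling relies on it")
        if self.uplink_fail_action == "link-down" and self.non_vmfex_cna_with_fcoe:
            findings.append(
                "link-down on a non-VM-FEX CNA carrying FCoE: a border-port "
                "failure takes down the Ethernet interface and every vFC bound "
                "to it; the documentation recommends 'warning' here")
        if self.uplink_fail_action == "warning":
            findings.append(
                "warning: fabric failover is disabled on uplink loss and a host "
                "teaming driver may not notice the failure")
        if self.promiscuous_trunking_host and self.mac_registration_mode != "all-host-vlans":
            findings.append(
                "promiscuous trunking host with only-native-vlan registration: "
                "set mac-registration-mode all-host-vlans")
        return findings


# Constructed policies: the weak settings a reviewer flags, and the hardened form.
WEAK = NetworkControlPolicy("ncp-weak", cdp=True, forged_transmit="allow")
HARDENED = NetworkControlPolicy("ncp5")

if __name__ == "__main__":
    for policy in (WEAK, HARDENED):
        print(f"# {policy.name}: {len(policy.lint())} finding(s)")
        for finding in policy.lint():
            print(f"#   - {finding}")
        print("\n".join(policy.to_cli()))
```

Run it to see the two finding lines for ncp-weak followed by its command list, then a clean report and the command list for ncp5. The only judgment in the script that is not taken from the page is treating an enabled CDP as a finding; if your host tooling depends on CDP, drop that rule rather than the policy.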
Deleting a Network Control Policy
Procedure
Step 1
Command: UCSC# connect policy-mgr
Purpose: Enters policy manager mode.
Step 2
Command: UCSC(policy-mgr)# scope org org-name
Purpose: Enters organization mode for the specified organization. To enter the root organization mode, enter / as the org-name.
Step 3
Command: UCSC(policy-mgr) /org # delete nw-ctrl-policy policy-name
Purpose: Deletes the specified network control policy.
Step 4
Command: UCSC(policy-mgr) /org # commit-buffer
Purpose: Commits the transaction to the system configuration.
Example
The following example deletes the network control policy named ncp5:
UCSC# connect policy-mgr
UCSC(policy-mgr)# scope org /
UCSC(policy-mgr) /org # delete nw-ctrl-policy ncp5
UCSC(policy-mgr) /org* # commit-buffer
UCSC(policy-mgr) /org #